
Authentication and Access Control for
AWS Global Accelerator

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator
securely control access to
AWS resources, including AWS Global Accelerator resources. Administrators use IAM
to control who is
authenticated (signed in) and authorized (has
permissions) to use Global Accelerator resources. IAM is a feature included with your
AWS account at
no additional charge.

Concepts and Terms

Authentication – To sign in to AWS, you must use one of
the following:
root user credentials (not recommended), IAM user credentials, or temporary credentials
using
IAM roles. To learn more about these entities, see What is Authentication?.

All resources in an account are owned by the account, regardless of who created those
resources. You must be granted access to create a resource. However, just because
you created a resource doesn't mean that you automatically have full access to
that
resource. An administrator must explicitly grant permissions for each action that
you want to perform. That administrator can also revoke your permissions at any
time.

To help you understand the basics of how IAM works, review the following terms:

Resources

AWS services, such as Global Accelerator and IAM, typically include objects called
resources. In most cases, you can create, manage, and delete these resources
from the service. IAM resources include users, groups, roles, and
policies:

Users

An IAM user represents the person or application who uses its credentials to
interact with AWS. A user consists of a name, a password to
sign in to the AWS Management Console, and up to two access keys that can be
used with the AWS CLI or AWS API.

Groups

An IAM group is a collection of IAM users. Administrators can use groups to
specify permissions for member users. This makes it easier for an administrator to
manage permissions for multiple users.

Roles

An IAM role does not have any long-term credentials (password or access keys)
associated with it. A role can be assumed by anyone who needs it and has
permissions. An IAM user can assume a role to temporarily take on different
permissions for a specific task. Federated users can assume a role by using an
external identity provider that is mapped to the role. Some AWS services can
assume a service role to access AWS resources
on your behalf.

Policies

Policies are JSON documents that define the permissions for the object to which they
are attached. AWS supports identity-based
policies that you attach to identities (users, groups, or roles).
Some AWS services allow you to attach resource-based
policies to resources to control what a principal (person or
application) can do to that resource. Global Accelerator
does not support resource-based policies.

Identities

Identities are IAM resources
for which you can define permissions. These include users, groups, and roles.

Entities

Entities are IAM resources that you use for authentication. These include users and
roles.

Principals

In AWS, a principal is a person
or application that uses an entity to sign in and make requests to AWS. As a principal,
you can use the AWS Management Console, the AWS CLI, or the AWS API to perform an
operation (such as
deleting an accelerator). This creates a request
for that operation. Your request specifies the action,
resource, principal, principal account, and any
additional information about your request. All of this information provides AWS with
context for your request. AWS checks all the
policies that apply to the context of your request. AWS authorizes the request only
if
each part of your request is allowed by the policies.

Permissions Required to Use the
Global Accelerator Console

To access the AWS Global Accelerator console, you must have a minimum set of permissions
that
allows you to list and view details about the Global Accelerator resources in your
AWS account.
If you create an identity-based permissions policy that is more restrictive than the
minimum
required permissions, the console won't function as intended for entities with that
policy.

To ensure that those entities can still use the Global Accelerator console or API
actions, also attach
one of the
following AWS managed policies to the user, as described in Creating Policies on the JSON Tab:

GlobalAcceleratorReadOnlyAccess
GlobalAcceleratorFullAccess

Attach the first policy, GlobalAcceleratorReadOnlyAccess, to users who only
need to view information in the console or make calls to the AWS CLI or the API
that
use List* or Describe* operations.

Attach the second policy, GlobalAcceleratorFullAccess, to users who need to create
or make updates to accelerators. The full access policy includes full permissions for Global Accelerator as
well as describe permissions for Amazon EC2 and Elastic Load Balancing.

Note

If you create an identity-based permissions policy that does not include
the required permissions for Amazon EC2 and Elastic Load Balancing, users with
that policy will not be able to
add Amazon EC2 and Elastic Load Balancing resources to accelerators.

Permissions Required for
Authentication Management

To manage your own credentials, such as your password, access keys, and multi-factor
authentication (MFA) devices,
your administrator must grant you the required permissions. To view the policy that
includes these permissions, see
Allow Users to Self-Manage Their
Credentials.

As an AWS administrator, you need full access to IAM so that you can create and
manage users, groups, roles, and policies in IAM. You should use the AdministratorAccess AWS managed policy that includes full access to
all of AWS. This policy doesn't provide access to the AWS Billing and Cost Management
console or allow
tasks that require AWS account root user credentials. For more information, see
AWS Tasks That Require
AWS Account Root User Credentials in the
AWS General Reference.

Warning

Only an administrator user should have full access to AWS. Anyone with this policy
has permission to fully manage authentication and access control, in addition to modifying
every resource in AWS. To learn how to create this user, see Create your IAM Admin User.

Permissions Required for Access
Control

If your administrator provided you with IAM user credentials, they attached policies
to your IAM user to control what resources you can access. To view the policies that
are
attached to your user identity in the AWS Management Console, you must have the following
permissions:

If you need additional permissions, ask your administrator to update your policies
to
allow you to access the actions that you require.

Understanding How Global Accelerator Works with
IAM

Services can work with IAM in several ways:

Actions

Global Accelerator supports using actions in a policy. This allows an administrator
to control whether an entity can complete an operation in Global Accelerator. For example,
to allow an entity to call the DescribeAccelerator API operation to view an accelerator's
configuration, an administrator must attach a policy that allows the
globalaccelerator:DescribeAccelerator action.

The following example policy allows a user to perform the CreateAccelerator
operation to programmatically create an accelerator for your AWS account:
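The following is an added example of such a policy, written here rather than taken from the original page. Its Resource element is "*" because, as described below, Global Accelerator does not support resource-level permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "globalaccelerator:CreateAccelerator",
      "Resource": "*"
    }
  ]
}
```

Attach this as an identity-based policy to a user, group, or role; Global Accelerator accepts no Principal element because it has no resource-based policies.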

Global Accelerator does not support resource-level permissions.
Resource-level permissions allow you to use ARNs to specify
individual resources in the policy.
Because Global Accelerator does not support this feature, you must choose
All resources in the policy visual editor. In a JSON policy document, you must use
* in the Resource element.

Resource-based policies

Global Accelerator does not support resource-based policies. With
resource-based policies, you can attach a policy to a resource within the service.
Resource-based policies include a Principal element to specify which IAM
identities can access that resource.

Authorization based on tags

Global Accelerator does not support authorization based on tags. This feature
allows you to use resource tags in the Condition element of a policy.
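The four constraints above (actions use the globalaccelerator service prefix, Resource must be "*", no Principal element, no tag-based conditions) are easy to violate in a hand-written policy, and a violation usually fails silently as an AccessDenied rather than as a validation error. The following added example, not code from the original page or from AWS, checks a policy document against those constraints and applies IAM's action matching (case-insensitive, * and ? wildcards, explicit Deny wins) to report which console-minimum calls a policy leaves out. The sample policies, the accelerator ARN, and the condition key are constructed for the example.

```python
"""Static checks for an identity-based policy that grants Global Accelerator access.

Added example, not from the AWS documentation. It encodes what the page states:
actions carry the globalaccelerator: service prefix, Resource must be "*" because
the service has no resource-level permissions, identity-based policies carry no
Principal element (no resource-based policies), and tag condition keys are not
honoured (no tag-based authorization). action_allowed() ignores Resource and
Condition, which is adequate only because Resource is always "*" here.
"""
import fnmatch
import json

SERVICE_PREFIX = "globalaccelerator"
TAG_CONDITION_PREFIXES = ("aws:resourcetag/", "aws:requesttag/", "aws:tagkeys")
# Calls the console needs to list and view accelerators (page: List* / Describe*)
CONSOLE_MINIMUM = ("globalaccelerator:ListAccelerators",
                   "globalaccelerator:DescribeAccelerator")

# Constructed sample policies (not from the original page)
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageAccelerators", "Effect": "Allow",
         "Action": ["globalaccelerator:CreateAccelerator",
                    "globalaccelerator:List*", "globalaccelerator:Describe*"],
         "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny",
         "Action": "globalaccelerator:DeleteAccelerator", "Resource": "*"},
    ],
}
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Typo in the service prefix: matches no real action, so it grants nothing
        {"Sid": "WrongPrefix", "Effect": "Allow",
         "Action": "aws-globalaccelerator:CreateAccelerator", "Resource": "*"},
        # Hypothetical ARN and a tag condition that the service does not honour
        {"Sid": "ScopedByArn", "Effect": "Allow",
         "Action": "globalaccelerator:UpdateAccelerator",
         "Resource": "arn:aws:globalaccelerator::123456789012:accelerator/example",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if some statement allows the action and no statement denies it."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_policy(policy):
    """Return findings where the policy relies on features the service lacks."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{sid}: Principal element (no resource-based policies)")
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        prefixes = {a.split(":", 1)[0].lower() for a in actions}
        for prefix in prefixes:
            if prefix != SERVICE_PREFIX and SERVICE_PREFIX in prefix:
                findings.append(f"{sid}: service prefix {prefix!r} should be {SERVICE_PREFIX!r}")
        if not any(p == "*" or SERVICE_PREFIX in p for p in prefixes):
            continue  # statement does not touch this service
        if "NotResource" in stmt or _as_list(stmt.get("Resource")) != ["*"]:
            findings.append(f"{sid}: Resource must be \"*\" (no resource-level permissions)")
        for keys in (stmt.get("Condition") or {}).values():
            for key in keys:
                if key.lower().startswith(TAG_CONDITION_PREFIXES):
                    findings.append(f"{sid}: condition key {key!r} is ignored (no tag-based authorization)")
    return findings


def console_gaps(policy):
    """Console-minimum calls that the policy does not allow."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [a for a in CONSOLE_MINIMUM if not action_allowed(policy, a)]


if __name__ == "__main__":
    for name, pol in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, check_policy(pol) or "no findings", "console gaps:", console_gaps(pol))
```

Run against BAD_POLICY, the checker reports the wrong prefix, the ARN-scoped Resource, and the ignored tag condition, and shows that neither console-minimum call is granted; against GOOD_POLICY it reports nothing and confirms that the explicit Deny on DeleteAccelerator overrides the Allow statements.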

Temporary credentials

Global Accelerator supports temporary credentials. With temporary
credentials, you can sign in with federation, assume an IAM role, or
assume a cross-account role. You obtain temporary security credentials by
calling AWS STS API operations such as AssumeRole
or GetFederationToken.

Service-linked roles

Global Accelerator supports service-linked roles. This
feature allows a service to assume a service-linked role on your behalf. This role allows the
service to access resources in other services to complete an action on your
behalf. Service-linked roles appear in your IAM account, and are owned by
the service. An IAM administrator can view but not edit the permissions
for service-linked roles.

Service roles

Global Accelerator does not support service roles. This feature allows a
service to assume a service
role on your behalf. This role allows the service to access resources in other
services to complete an action on your behalf. Service roles appear in your IAM
account and are owned by the account. This means that an IAM administrator can change
the permissions for this role. However, this might break the functionality of the
service.

Troubleshooting Authentication and Access
Control

Use the following information to help you diagnose and fix common issues that you
might
encounter when working with IAM.

I am not authorized to perform an
action in Global Accelerator

If the AWS Management Console tells you that you're not authorized to perform an action,
you must
contact the administrator who provided you with your user name and password.

The following example occurs when an IAM user named my-user-name tries to
use the console to perform the globalaccelerator:CreateAccelerator action but does not have
permissions:

User: arn:aws:iam::123456789012:user/my-user-name is not authorized to perform: globalaccelerator:CreateAccelerator on resource: my-example-accelerator

In this case, ask your administrator to update your policies to allow the
globalaccelerator:CreateAccelerator action. Because Global Accelerator does not
support resource-level permissions, the policy must specify * in the Resource element
rather than naming the my-example-accelerator resource.

I'm an administrator and want
to allow others to access Global Accelerator

To allow others to access Global Accelerator, you must create an IAM entity (user
or role)
for the person or application that needs access. They will use the credentials for
that
entity to access AWS. You must then attach a policy to the entity that grants them
the
correct permissions in Global Accelerator.